Beware the weakest link

As business ecosystems become more integrated and the number of third-party partners and suppliers grows, supply chain risk should be a top-line agenda item for directors and management alike. Our report, with a five-step guide for boards, can helpBy Jim Middlemiss

When the world’s seventh-largest container shipping line, Hanjin Shipping Co., filed for bankruptcy protection at the end of August, it left retailers, manufacturers and resource companies around the world scrambling and fearing the worst. Dozens of container-ships and tankers carrying much-needed cargo and oil were either seized at port or left drifting on the open sea unable to dock and unload (including one in the harbour at Prince Rupert, B.C.).

The ripple effects of this business failure are still being felt. Initial impacts involved the ports, ship owners (Seaspan Corp., for example, which is based in Hong Kong but has major operations in Vancouver, owns several ships in Hanjin’s fleet), and others close to the affected operations. But every company whose wares are on any of Hanjin’s ships will eventually feel the squeeze when important goods, parts or other supplies don’t reach factories, stores and distribution depots as planned. Electronics giant LG Electronics Inc., one of the first affected manufacturers that surfaced, had to cancel orders, find new shippers and put into place contingency plans in the event goods were seized.

Hanjin’s collapse highlights the worst-case scenario companies face when their supply chain suddenly breaks down, throwing a wrench into well-laid plans and business strategies. It also represents just one facet in an array of supply chain risks that are being mismanaged by the world’s corporations to the tune of more than US$200 billion in losses annually, according to Thomson Reuters. Other major areas of supply chain risk include resource shortages, natural disasters, fraud, illegal/child labour, illegal components (i.e., conflict minerals), compliance failure and reputational damage, to name just a few.

Daniel Desjardins, senior vice-president, general counsel and corporate secretary at Bombardier Inc. (TSX:BBD.B), which sources parts from around the world for the trains and planes it makes, deal with global supply chain risk daily. “You have to look at it from a costing perspective, the capacity to deliver and from the strength of a supplier,” says Desjardins. “If the supplier goes belly-up on you, you have an issue. It’s all about the risk. There will always be risk.”

Desjardins is responsible for corporate governance and Bombardier’s insurance and risk management programs—a critical component of supply chain oversight. He heads a legal team of 175 lawyers in 17 countries whose responsibilities include the thousands of pages of procurement contracts that Bombardier relies on to source parts and land bids.

The question facing companies when looking at their supply chain, he says, is “what kind of risk can you tolerate for the price [of the goods you purchase]?”

Cost, complexity and conflicting regulation define supply chain management, says Daniel Desjardins, senior vice-president, general counsel and corporate secretary at Bombardier: “It’s all about the risk. There will always be risk”

He notes that while supply chains and risk are ubiquitous, they are not uniform. “Our supply chain risk is very different than a bank.”

When Bombardier was designing its new C Series jet, it meant using suppliers that also serviced their biggest competitors. “We’ve got the same suppliers as Boeing and Airbus,” he says, noting it’s a “highly specialized” industry. “You have to make sure you have the right supplier and knowledge.” He says it’s the same in the train-building business. “There is not that many brake providers for trains around the world.”

The question then becomes, “how do you source from a strategy perspective with the right supplier and the right terms and conditions? Sourcing is really an art.”

Andrea Strongitharm, the managing director who leads the strategy, operations and supply chain practice in Canada at Accenture, notes that a supply chain is critical to a company’s health and welfare, and with globalization, such chains are becoming “vast” and complex. A glitch or speed bump, she says, “can affect the stability or viability of any business. It’s critical to everything the company does.”

In many ways, the supply chain can be thought of as a multi-headed Hydra lurking within the bowels of an organization waiting to lash out with little warning. It has every risk a board could imagine—from financial, as in the case of Hanjin’s failure, to operational, reputational, strategic and compliance.

If you think your company is immune, you’re wrong. The corporate battle field is strewn with victims of the Hydra’s carnage. Some CEOs have lost their jobs over botched supply chains stemming from mergers. For example, earlier this year Empire Co. Ltd. (TSX:EMP.A) said goodbye to Marc Poulin after its $5.8-billion purchase of Safeway Canada left customers of the western grocery retailer tweeting pictures of empty shelves. Along with losing Poulin, the Atlantic-based food giant was forced to swallow a $2.9-billion writedown on its western investment.

In many cases, though, it’s the corporate reputation that ends up bruised and in tatters. Both the high-profile Home Depot and Target cybersecurity breaches, which led to the loss of consumer credit card information, were traced to third-party vendors those companies relied on. In Target’s case, it was an HVAC vendor that had access to the corporate systems. Both retailers eventually paid out millions to rectify the problems.

Then there is Canada’s other food giant, Loblaw Companies Ltd. (TSX:L) It became embroiled in controversy and a $2-billion class action suit in 2015 after Rana Plaza, which housed the Bangladeshi garment factory that made the Loblaw-branded Joe Fresh clothing, as well as factories for other brands, collapsed in 2013 and killed more than 1,000 people. The lawsuit, which is slated for a certification hearing next April, alleges that under Loblaw’s corporate responsibility standards, the company “voluntarily undertook the responsibility to ensure that the buildings in which Joe Fresh garments were manufactured were structurally sound and met Loblaw’s own publically [sic] adopted minimum standards for worker and building safety.” Loblaw has denied liability and is fighting the suit.

Natural disasters can also take their toll on supply chains. The 2011 earthquake and Tsunami off the east coast of Japan disrupted the automotive supply chain, while Thai flooding in October 2011 knocked out semiconductor manufacturing, temporarily turning out the lights on the electronics industry. Other risks that can impact both compliance and reputational risk are conflict minerals ending up in the supply chain, a legal no-no under new laws, and child or forced labour.

With so much at stake for companies in their often complex and growing supply chain—essentially the DNA of their organization—it raises an important question: are corporate directors paying enough attention to it?

That depends, say experts. “I think they are thinking about it,” says Barry Cross, a lecturer in operations management at Queen’s University School of Business who worked as a senior executive for 17 years at Magna International, Autosystems and Dupont before teaching. “I don’t think they have a good grasp of the risk and what they are actually facing.”

Bernie Donachie, the global supply chain lead at Protiviti, a global risk consulting firm, says the “level of interest or sophistication in terms of the supply chain varies with almost every board.”

The problem, he says, is that boards “don’t think about the supply chain until they are in trouble. They need to understand that $1 in supply chain spending, as a general rule, is worth $5 in revenue.”

When that revenue is disrupted, or put at risk, then it becomes more than a management issue, it’s a board headache.

So, what should boards be doing when it comes to supply chain risk? Here’s a five-step guide to what the experts say directors need to think about.

1. Know the Basics of Your Supply Chain

The first thing directors need to understand are the basics of their supply chain so they can better appreciate where the risk lies.

One starting point is a Protiviti study that identified the top three supply chain and procurement risks: supply interruption risk, lack of a senior executive-led sales and operations planning process, and lack of timely and accurate information and spend analysis capabilities.

Rob Klassen, an operations management professor at the Ivey Business School at the University of Western Ontario, says the first question boards should be asking management is “where do you source from and what are the critical issues in your industry?”

“Boards count on the controls that are in place,” he says, but they need to probe deeper.

Accenture’s Strongitharm says boards should also be asking management “what methods they have in place to identify, monitor and mitigate” their supply chain risk.

Cross notes that an overreaching supply chain is hard to manage, costly and partly out of tune with today’s focus on social responsibility from an environmental standpoint. “People overlook logistics and distance,” he says. “Typically, they underestimate the amount of resources it is going to take to work with a supplier.”

For example, he says, if the supplier is halfway around the world, and a problem develops at a plant related to quality, it can take a company one or two days simply to get their own people on the ground to help solve the technical problem. “They haven’t thought about that.”

He says boards “should be pushing back on long supply chains because of the impact on the environment.” He notes that there is a trend in the U.S. to re-shoring manufacturing jobs.

Similarly, Strongitharm warns, that being too dependent on a couple of suppliers is equally problematic. “If they fail, you fail.”

2. Check the Supplier Alignment

Many companies have in place codes of conduct that apply to first-tier suppliers. However, experts note, often the problems arise at the second or third tier of the supply chain (a supplier’s supplier). That means pushing management to ensure that your suppliers are owing their obligations to your company through their own supply chain and pushing it down to the next level.

Cross says it is important suppliers have the “same level of urgency and priority” as the company and that efforts are aligned.

He says this requires resources, because it might mean “having guys live at the suppliers’ locations following up and checking.” Building periodic audit requirements into contracts is another protective measure many experts recommend.

Protiviti’s Donachie says it means getting tough with suppliers and pushing back. He tells the story of one client that was given six months to get its data security up to speed in its own supply chain or one of its major banking clients would cut the rm loose. He’s also seen instances where rms have managed their risk down to the third and fourth tier in a supply chain, but that’s not easy to do.

The level of regulation an industry faces makes the need to drill down into the chain even more imperative. For example, Desjardins cites the complex European Union’s REACH health and environment legislation (the acronym stands for Registration, Evaluation, Authorization and Restriction of Chemicals). It impacts everything from the paint to the glue and fibres used in manufacturing. “It’s thousands and thousands of pages of regulations on what goes into a product and what you have to disclose,” he explains. So if you or one of your second- or third-tier suppliers are using a Cambodian company to source parts, he says, that supplier has to understand the requirements. “Our duty is to educate the end maker.”

3. Are Audits Up to Standard?

Simon Lewchuk, senior policy adviser for sustainable economic development at the non-governmental organization World Vision, which has studied the Canadian supply chain as it pertains to risky goods imported into the country, says one of the biggest failings his organization encounters are supply chain audits. They often lack teeth and companies are too opaque in their disclosures about efforts to combat child and forced labour, one of the NGO’s main battlegrounds. What he wants boards to understand is that “these are material business risks. They affect your reputation and valuation.”

He admits that “nobody wants to disclose they have child-enforced labour in their supply chains,” but there is a good chance they do based on his group’s findings (see sidebar, “Child labour: are you at risk?” at bottom, ). “We aren’t expecting perfection, but we are expecting to see companies being proactive.”

Where companies need to do better, he says, is on the audit and disclosure front. He says it’s one thing to publicly state you are against child labour, but back it up by releasing the audit results, he suggests. “Listing audit results is a great way that companies can demonstrate to consumers and investors that it is not just saying we conduct audits, but here are our findings. It shows more than just a commitment living on paper.”

In response to these suggestions, many major clothing brands have begun disclosing lists of all of the factories where their goods are made. The most recent, in mid-September, was Gap Inc. Mountain Equipment Co-op is one Canadian firm that signed on previously; in 2013, Hudson’s Bay Co. (TSX:HBC) said it would do likewise.

Experts agree that supplier audits are a cornerstone of a supply chain risk management system; however, audits have to have teeth and ramifications for suppliers to be effective.

Cross says the supplier code has to be clear that your company will not tolerate the use or application of child labour and then you have to enforce it. “If somebody violates it, then bust them quickly,” he urges.

The statement of claim in the Loblaw’s lawsuit focuses on the audits and the company the grocer hired to conduct them, Bureau Veritas Consumer Products Services (BD) Ltd., which is part of group of companies owned by publicly traded Paris-based Bureau Veritas SA. The claim alleges that the Bureau Veritas group of defendants breached their duty of care by “failing to conduct necessary factory and building safety audits and inspections and by failing to properly notify Loblaw of safety issues detected by them at Rana Plaza.”

4. Incorporate Redundancy

Experts say it’s impossible to eliminate risk entirely in a supply chain, but it can be mitigated through planning and thought. Boards should ask management what type of back-up plans they have built into the supply chain system. Cross says it’s important that companies “build some redundancy” into the system, particularly if there are only one or two suppliers for anything strategic.

“It might require a little bit more investment up front, but it reduces risk by orders of magnitude, especially if suppliers are at a great distance,” he says.

In Bombardier’s case, Desjardins says the company watches things like union negotiations and potential strike action involving suppliers. In that case, he says, “you can ask the supplier to double up on delivery and stack things up for a while. Those are things you need to do.”

That only works, however, if the account manager who oversees the supplier is aware of what’s going on. To be successful, he says, managing supply chain risk must be a holistic endeavour that drills down throughout an organization and its various divisions and business lines. “It’s not done from the corporate office. Everybody has got to manage risk.”

The experts also stress the need to have in place robust information and technology systems to provide insight into the supply chain to better assess and understand the needs and risk. “If you have data analytics and value analytics, you can do a good job at managing your third-party risk,” says Donachie.

5. Is Supply Chain at the Table?

That brings us to one of the most critical issues facing the supply chain and that’s how management views its supply chain experts, says Strongitharm.

Are they merely order takers who are told by divisions to secure goods and services? Or do your company’s supply chain experts “have a seat at the table” and are they in on the ground floor of key business decisions involving the goods or services the company produces, Strongitharm asks.

“A lot of times the supply chain is seen as executers: ‘I need this, go and get it.’ ”

However, she says, that attitude overlooks one of the drivers of supply chain risk, which is “demand volatility.” Having the supply chain at the table where the demand is created, she says, improves forecasting and allows the experts overseeing the supply to add value and input. It allows them to “inform the business how best to meet demands and become collaborators rather than being order takers.”

Do this, in other words, and managing your supply chain effectively doesn’t just allay risk but it also has the potential to become a competitive advantage.

Skill set is another related area, she says, that is often overlooked when it comes to managing supply chain risk. It’s about having the skills within the company to identify the risk and the expertise to monitor it and mitigate it. “It shouldn’t be assumed that people know how to do that.”

LOOKING THROUGH HIS future lens, Bombardier’s Desjardins predicts that supply chain risk will grow more complex, particularly as governments look to regulate in the area of social responsibility.

“Water is going to be important,” he says. For some industries, such as beverages and certain types of manufacturing, it’s the life-blood.

Cross agrees, adding, “it’s going to be more expensive than gas and oil—the type of things that wars get fought over.”

Ultimately, Desjardins says, overseeing a supply chain in a global economy with differing laws, rules and regulations isn’t easy. “Many times we are faced with conflicting regulation around the world. It becomes very hard to be efficient. At the end of the day, whether it’s the water issue or conflict minerals, the rules should be the same, but they are not. How you deal with that complexity and conflicting regulation—that’s where some struggle,” he says. “All of us mean well and we want to do the right thing.”

SIDEBAR: Child labour: are you at risk?Many Canadian firms’ supply chains are exposed in this area, says a World Vision report

Simon Lewchuk has seen the worst and the best of supply chains. He is the Ottawa-based senior policy adviser for sustainable economic development at the non-governmental organization World Vision, which works to better children’s lives. That includes fighting child and forced labour—a global problem involving an estimated 168 million children, according to the International Labour Organization.

In June, World Vision published an eye-opening Canadian supply chain risk report looking at general retailers, textile and apparel companies, food companies and electronics manufacturers to “identify ‘risky products’ that may be reaching stores in Canada.”

While World Vision’s mandate is child welfare, there are stark lessons in the report for a great many Canadian companies that are not being transparent in their efforts to reduce the risk of child labour in the supply chain. Beyond the ethical reality, such neglect opens them up to future reputational damage, lawsuits, even potential criminal exposure. Canadian companies haven’t really “internalized these issues,” Lewchuk says.

In its study, World Vision examined 50 of the 136 products that are at the highest risk of being produced by child labour, according to the U.S. Department of Labor—things like coffee, chocolate, toys, footwear, silver and textiles. Those 50 accounted for $34.3 billion in Canadian imports in 2015.

World Vision identified 1,264 Canadian companies that “contain links to goods and countries with high incidences of child or forced labour.” Of that, 828 (65%) were headquartered in Canada, and 235 (18.6%) were publicly traded.

It assessed companies in four sectors against seven categories of reporting: public commitment to fight child labour, its supplier code of conduct, training, auditing, availability of audit results, grievance and remedy procedures, and standalone disclosure.

Companies highlighted in the report often did OK when it came to making a public commitment or in the area of making available their supplier code of conduct. However, when it came training, audit results, a grievance or remedy procedure and standalone disclosure, most did poorly.

Food producers and wholesalers were the worst of all, barely registering in any of the categories, even though 60% of child labourers toil in jobs like farming and fishing. The overall results are a concern for Lewchuck. “Canadian companies cannot afford to ignore it. Sooner or later they are going to be forced to address these issues.”—J.M.